CVE-2021-39154

CWE-434Unrestricted File UploadCWE-502Deserialization of Untrusted Data9 documents8 sources
Severity
8.5HIGH
EPSS
0.7%
top 28.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
15
X-stream XstreamXstream XstreamDebian Debian Linux+12 more
Timeline
PublishedAug 23
Latest updateMar 13

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages15 packages

NVDxstream/xstream< 1.4.18
CVEListV5x-stream/xstream< 1.4.18
Debianlibxstream-java< 1.4.15-3+deb11u1+3
NVDoracle/utilities_framework7 versions+6

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
XStream is vulnerable to an Arbitrary Code Execution attack2021-08-25
GHSA
XStream is vulnerable to an Arbitrary Code Execution attack2021-08-25
OSV
CVE-2021-39154: XStream is a simple library to serialize objects to XML and back again2021-08-23
CVEList
XStream is vulnerable to an Arbitrary Code Execution attack2021-08-23

📋Vendor Advisories

4
Ubuntu
XStream vulnerabilities2023-03-13
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (XStream) — CVE-2021-391542022-01-15
Red Hat
xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue2021-08-22
Debian
CVE-2021-39154: libxstream-java - XStream is a simple library to serialize objects to XML and back again. In affec...2021